https://community.isc2.org/t5/Tech-Talk/OK-Google-Bypass-the-Authentication/m-p/32293#M2214 <P>W<SPAN>hen a user pronounces the words <EM>“a capo”</EM> (Italian equivalent of the English “new line”, “new paragraph”) an <U>unspecified Google Assistant App</U> translates this as the control character \n, interpreting the phrase as if the user had pressed the Enter key, to submit the input.</SPAN></P><P>&nbsp;</P><P><SPAN>Ok Google! Do you like to process empty input? Yes! So instead of hearing a password for the app, Google Assistant is tricked&nbsp; into falling to the apps "Default Intent" which provides access to the apps main menu.&nbsp;From there, the attacker can access any functionality for any user. Nice! The security researcher that found and responsibly&nbsp;reported&nbsp;it to Google did NOT get any credit or reward&nbsp;<IMG id="smileysad" class="emoticon emoticon-smileysad" src="https://community.isc2.org/i/smilies/16x16_smiley-sad.png" alt="Smiley Sad" title="Smiley Sad" /> although Google did eventually&nbsp;fix it <A href="http://“We are doing our quality control checks, making sure the numbers are accurate." target="_blank" rel="noopener">here</A></SPAN>&nbsp;after back tracking from saying it was a "no fix".</P><P>&nbsp;</P> Mon, 09 Oct 2023 09:25:28 GMT AppDefects 2023-10-09T09:25:28Z https://community.isc2.org/t5/Tech-Talk/OK-Google-Bypass-the-Authentication/m-p/32293#M2214 <P>W<SPAN>hen a user pronounces the words <EM>“a capo”</EM> (Italian equivalent of the English “new line”, “new paragraph”) an <U>unspecified Google Assistant App</U> translates this as the control character \n, interpreting the phrase as if the user had pressed the Enter key, to submit the input.</SPAN></P><P>&nbsp;</P><P><SPAN>Ok Google! Do you like to process empty input? Yes! So instead of hearing a password for the app, Google Assistant is tricked&nbsp; into falling to the apps "Default Intent" which provides access to the apps main menu.&nbsp;From there, the attacker can access any functionality for any user. Nice! The security researcher that found and responsibly&nbsp;reported&nbsp;it to Google did NOT get any credit or reward&nbsp;<IMG id="smileysad" class="emoticon emoticon-smileysad" src="https://community.isc2.org/i/smilies/16x16_smiley-sad.png" alt="Smiley Sad" title="Smiley Sad" /> although Google did eventually&nbsp;fix it <A href="http://“We are doing our quality control checks, making sure the numbers are accurate." target="_blank" rel="noopener">here</A></SPAN>&nbsp;after back tracking from saying it was a "no fix".</P><P>&nbsp;</P> Mon, 09 Oct 2023 09:25:28 GMT https://community.isc2.org/t5/Tech-Talk/OK-Google-Bypass-the-Authentication/m-p/32293#M2214 AppDefects 2023-10-09T09:25:28Z https://community.isc2.org/t5/Tech-Talk/OK-Google-Bypass-the-Authentication/m-p/32314#M2223 <P>I'm waiting for the lawsuit when someone's AI drives them off a cliff. In the courtroom the accuser will say:</P><P>I said "Alexa, drive me over to Cliff's" and the next thing I know I'm here at the bottom of a cliff.</P> Tue, 04 Feb 2020 14:46:35 GMT https://community.isc2.org/t5/Tech-Talk/OK-Google-Bypass-the-Authentication/m-p/32314#M2223 CISOScott 2020-02-04T14:46:35Z